Juniper EX Configuration
I never write about my experience maintaining or configuring network switches, mainly because the options provided for declaring configuration are not impressive. Most proprietary switches provide a CLI for interactive use, but no means of applying this configuration apart from vendor-specific protocols.
JunOS is proprietary, but provides a far better story:
- A sandboxed FreeBSD 11 userland with modern SSH protocols
- Tools for loading, merging and displaying the diff of a configuration
These are notes on configuring the Juniper EX2300-C-12P for my home office using rset(1).
USB console
Juniper switches can be accessed over a USB cable since they have a built-in UART:
uslcom0 at uhub0 port 4 configuration 1 interface 0 "Silicon Labs CP2104 USB to UART Bridge Controller" rev 2.00/1.00 addr 8
ucom0 at uslcom0 portno 0
To switch output to the USB console run
set system ports auxiliary port-type mini-usb
Manual configuration can now be handled from my OpenBSD router using
cu -l cuaU0
Configuring SSH
The next step is to establish network access using a management interface
set interfaces me0 unit 0 family inet address 192.168.0.7/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.3
Optionally disable the alarm LED if this interface will only be used for initial provisioning
set chassis alarm management-ethernet link-down ignore
Set the accepted SSH host-key algorithm
set system services ssh hostkey-algorithm ssh-ed25519
Add users
set system login user eradman class super-user
set system login user eradman authentication ssh-ed25519 "ssh-ed25519 key..."
Once we have settled on a network design, we can instead bring up a layer 3 interface and assign it an IP address that is reachable on a VLAN.
set interfaces irb unit 80 description wired-network
set interfaces irb unit 80 family inet address 192.168.0.7/24
Upgrading JunOS
> show version
> request system software add http://192.168.0.11/junos-arm-32-18.2R3-S5.3.tgz reboot
Or if there isn't enough space
> request system software add http://192.168.0.11/junos-arm-32-18.2R3-S5.3.tgz force unlink no-copy
Remote Sequential Execution Tool
Enabling root login provides access to the Unix shell over SSH, which will allow us to use rset(1) to configure the switch!
set system root-authentication ssh-ed25519 "ssh-ed25519 key..."
set system services ssh root-login deny-password
Now that we have SSH access to the JunOS/FreeBSD userland we can add a route entry
# routes.pln
192.168.0.7:
	juniper/
	ex2300-c.pln
Change the default connecting user to root
# ssh_config
Host 192.168.0.7
	ConnectTimeout=10
	User root
Define a simple label to test connectivity
# ex2300-c.pln
_ping:
	hostname
Run using
rset -F ssh_config -x ping 192.168.0.7
Now we can write down commands to run using the Juniper cli tool
# ex2300-c.pln
interfaces:
	cli <<-!!
		configure
		load set juniper/ex2300-c
		show | compare
	!!
# vim:noexpandtab:syntax=sh:ts=4
Trunking to an OpenBSD Router
First we'll define the VLANs on the switch
# juniper/ex2300-c
set vlans vlan80 description wired
set vlans vlan80 vlan-id 80
set vlans vlan80 l3-interface irb.80
set vlans vlan81 description wireless
set vlans vlan81 vlan-id 81
set vlans vlan81 l3-interface irb.81
Set the interface mode to trunk so the port accepts 802.1Q tagged frames
edit interfaces ge-0/0/0
set description "Uplink to router"
edit unit 0 family ethernet-switching
set interface-mode trunk
set vlan members vlan80
set vlan members vlan81
exit
exit
On the OpenBSD host ensure the physical interface is up and define the VLANs
# hostname.em0
up
# hostname.vlan0
parent em0 vnetid 80
inet 192.168.0.3/24
# hostname.vlan1
parent em0 vnetid 81
inet 192.168.1.3/24
To install these using rset(1), I often use a shell loop and set a variable to indicate that the network needs to be reconfigured
# apu4d2.pln
network:
	let changed=0
	for interface in em0 vlan0 vlan1
	do
		./rinstall -m 640 apu4d2/hostname.$interface /etc/hostname.$interface && changed=1
	done
	# changed is 1 only if rinstall replaced at least one hostname.if file;
	# only then is the network restarted, and the label exits 0 otherwise
	[ $changed -eq 0 ] || sh /etc/netstart
# vim:noexpandtab:syntax=sh:ts=4
Aggregate Links
Tagged or untagged interfaces may be set up for redundancy
set interfaces ge-0/0/10 ether-options 802.3ad ae0
set interfaces ge-0/0/11 ether-options 802.3ad ae0
edit interfaces ae0
set description "apu4d2 em0,em1"
set aggregated-ether-options lacp active
edit unit 0 family ethernet-switching
set interface-mode access
set vlan members vlan80
exit
exit
On the OpenBSD host, configure an aggregate interface and its members. There is some mismatched terminology here, since trunkport on OpenBSD implements LACP, not VLAN tagging.
# /etc/hostname.aggr0
trunkport em0
trunkport em1
up
# /etc/hostname.em0
up
# /etc/hostname.em1
up
PoE
JunOS is far more adaptable to configuration management than most switches, since changes are staged before they are committed. Another useful feature is the ability to clear a whole section using delete, which ensures the entire category has been redefined rather than merged with leftover statements
delete poe
set poe interface ge-0/0/6
set poe interface ge-0/0/7
Note: PoE+ capable devices are designated in the model number with the suffix "P"
Routed VLANs
By assigning an IP address to each VLAN L3 interface, traffic can be routed between LANs on the switch.
set interfaces irb unit 80 family inet address 192.168.0.7/24
set interfaces irb unit 81 family inet address 192.168.1.7/24
set interfaces irb unit 82 family inet address 192.168.2.7/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.3
To take advantage of the routed VLAN interfaces, adjust the default gateway for each subnet
# /etc/dhcpd.conf
subnet 192.168.0.0 netmask 255.255.255.0 {
	option routers 192.168.0.7;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
	option routers 192.168.1.7;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
	option routers 192.168.2.7;
}
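The trunking and routed-VLAN sections above keep the same VLAN facts in four places: the switch's set vlans statements, the irb addresses, the router's hostname.vlanN files and the dhcpd.conf gateways. The script below is an added example, not code from the original post or from rset(1), that derives all four from one table so they cannot drift apart; the table itself, the script name gen_vlans.sh, and the convention that the switch's address ends in .7 and the router's in .3 (as on this page) are assumptions. The trunk port is emitted in single-line set form, which is equivalent to the edit/exit walk shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post or from rset): generate the Junos
# "set" statements, the OpenBSD hostname.vlanN files and the dhcpd.conf subnet
# stanzas from one VLAN table. The table and the .7/.3 host-octet convention
# are assumptions made for this example.

# Constructed table: junos-vlan-name  vlan-id  description  /24-prefix  openbsd-ifname
VLANS='
vlan80 80 wired    192.168.0 vlan0
vlan81 81 wireless 192.168.1 vlan1
'
SWITCH_HOST=7   # last octet of the switch's irb.N address
ROUTER_HOST=3   # last octet of the router's vlanN address

# Junos statements for juniper/ex2300-c, consumed by "load set" as on this page
junos_vlans() {
	echo "$VLANS" | while read -r name id desc net ifn; do
		[ -n "$name" ] || continue
		printf 'set vlans %s description %s\n' "$name" "$desc"
		printf 'set vlans %s vlan-id %s\n' "$name" "$id"
		printf 'set vlans %s l3-interface irb.%s\n' "$name" "$id"
		printf 'set interfaces irb unit %s family inet address %s.%s/24\n' \
			"$id" "$net" "$SWITCH_HOST"
	done
}

# Trunk port carrying every VLAN in the table (single-line form of the
# edit/exit walk in the trunking section)
junos_trunk() {   # $1 = switch port, e.g. ge-0/0/0
	port=$1
	printf 'set interfaces %s description "Uplink to router"\n' "$port"
	printf 'set interfaces %s unit 0 family ethernet-switching interface-mode trunk\n' "$port"
	echo "$VLANS" | while read -r name id desc net ifn; do
		[ -n "$name" ] || continue
		printf 'set interfaces %s unit 0 family ethernet-switching vlan members %s\n' \
			"$port" "$name"
	done
}

# Contents of /etc/hostname.vlanN on the OpenBSD router for one table row
openbsd_hostname() {   # $1 = OpenBSD interface name, e.g. vlan0
	echo "$VLANS" | while read -r name id desc net ifn; do
		[ "$ifn" = "$1" ] || continue
		printf 'parent em0 vnetid %s\n' "$id"
		printf 'inet %s.%s/24\n' "$net" "$ROUTER_HOST"
	done
}

# dhcpd.conf subnet stanzas handing clients the switch's irb address as gateway
dhcpd_subnets() {
	echo "$VLANS" | while read -r name id desc net ifn; do
		[ -n "$name" ] || continue
		printf 'subnet %s.0 netmask 255.255.255.0 {\n\toption routers %s.%s;\n}\n' \
			"$net" "$net" "$SWITCH_HOST"
	done
}

# Usage (hypothetical file name):
#   sh gen_vlans.sh junos_vlans > juniper/ex2300-c
#   sh gen_vlans.sh junos_trunk ge-0/0/0 >> juniper/ex2300-c
#   sh gen_vlans.sh openbsd_hostname vlan0 > apu4d2/hostname.vlan0
#   sh gen_vlans.sh dhcpd_subnets
if [ $# -gt 0 ]; then
	"$@"
fi
```

The generated files are exactly what the interfaces: and network: labels earlier on the page install, so the table becomes the single place a VLAN is added or renumbered; load set followed by show | compare on the switch then shows precisely the lines that changed.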
Links
fs.com has everything needed to assemble tidy cabling, and they are very easy to use: